DOI: 10.1145/2448556.2448574
Research article

Realization of dynamic behavior using remotely verifiable n-call slides in Unix process execution trace

Published: 17 January 2013

Abstract

Trusted computing presents a technique called remote attestation, which helps in verifying the trustworthiness of a client's system. The generally known and most widely used methods for verifying a target system's integrity are static in nature. Many approaches have been presented to mitigate this problem; however, none of them is feasible, either because of implementation complexity or because of an unrealistically high bandwidth requirement. In this paper, we propose STIDE-R, an approach that utilizes the concepts of the seminal work presented by STIDE -- a technique that measures the behavior of an application based on the sequence of system calls it makes. We focus on how to shorten the length of the data that needs to be reported to the challenger. The principal advantage achieved is detection of zero-day malware on a remote system without incurring infeasible performance overhead. Further, the proposed architecture considers two dimensions as the most important for successful implementation of dynamic behavior attestation: minimizing the processing time on the target remote platform and tackling the network overhead efficiently.
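The abstract describes two ideas: STIDE-style profiling of a process by the n-call windows that slide over its system-call trace, and shortening what the attested platform has to report to the challenger. The following Python is an added example, not the paper's STIDE-R code or the authors' implementation. The sliding-window database and mismatch score follow the STIDE technique; the compact report (a truncated digest and count per unique window, verified by the challenger against its own copy of the profile) is an assumption used to illustrate the report-shortening goal, since the page does not describe STIDE-R's actual encoding. The traces, window length `N` and the helper names are constructed for this example.

```python
"""STIDE-style profiling of Unix system-call traces with n-call sliding windows.

Added example; this is not the paper's STIDE-R code. The sliding-window
database and the mismatch score follow the STIDE technique (sequence of
system calls made by a process). The 'compact report' below is an
ASSUMPTION used to illustrate the abstract's goal of shortening what the
attesting platform reports: the page does not describe STIDE-R's actual
encoding, so the per-window digest scheme here is illustrative only.
"""
import hashlib
from collections import Counter

N = 3  # window length (n-call slide); constructed choice for the example


def windows(trace, n=N):
    """Return every contiguous length-n window of a call trace as a tuple."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(normal_traces, n=N):
    """Training: the normal-behaviour database is the set of all windows seen."""
    profile = set()
    for trace in normal_traces:
        profile.update(windows(trace, n))
    return profile


def mismatch_rate(profile, trace, n=N):
    """Detection: fraction of the trace's windows that never occurred in training.
    A high rate flags behaviour the profile has not seen (e.g. zero-day code)."""
    ws = windows(trace, n)
    if not ws:
        return 0.0
    return sum(1 for w in ws if w not in profile) / len(ws)


def window_digest(w, digest_hex_len=16):
    """Truncated SHA-256 over the window's call names (illustrative encoding)."""
    return hashlib.sha256("|".join(w).encode()).hexdigest()[:digest_hex_len]


def compact_report(trace, n=N):
    """Attested platform side (assumed scheme): send {digest: count} for each
    UNIQUE window instead of the raw call-by-call trace. Repeated loops in a
    long trace collapse to a few entries."""
    return {window_digest(w): c for w, c in Counter(windows(trace, n)).items()}


def verify_report(profile, report):
    """Challenger side: score the compact report against its own copy of the
    profile without ever seeing the raw trace."""
    known = {window_digest(w) for w in profile}
    total = sum(report.values())
    if total == 0:
        return 0.0
    return sum(c for d, c in report.items() if d not in known) / total


# Constructed sample traces (not taken from the paper).
SERVER_LOOP = ["accept", "read", "write", "close"]
NORMAL_TRACES = [
    SERVER_LOOP * 3,
    ["open", "read", "close"],
    ["open", "mmap", "read", "close"],
]
PROFILE = build_profile(NORMAL_TRACES)

TEST_NORMAL = SERVER_LOOP * 5
# One unexpected execve inside an otherwise normal request loop.
TEST_ANOMALOUS = SERVER_LOOP * 2 + ["accept", "read", "execve", "write", "close"] + SERVER_LOOP * 2


def demo():
    """Run both the raw-trace and the compact-report paths; return the scores."""
    report = compact_report(TEST_ANOMALOUS)
    return {
        "profile_size": len(PROFILE),
        "normal_rate": mismatch_rate(PROFILE, TEST_NORMAL),
        "anomalous_rate": mismatch_rate(PROFILE, TEST_ANOMALOUS),
        "report_entries": len(report),
        "trace_length": len(TEST_ANOMALOUS),
        "report_rate": verify_report(PROFILE, report),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the two paths is that the challenger reaches the same mismatch score from the deduplicated report as it would from the raw trace, while the report for a 21-call trace contains only 7 entries; for a long-running server loop the ratio grows with the trace length. A real deployment would additionally need the report to be bound to the platform's attestation (for example, signed or extended into a TPM register), which this example does not model.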


Published In

ICUIMC '13: Proceedings of the 7th International Conference on Ubiquitous Information Management and Communication
January 2013
772 pages
ISBN: 9781450319584
DOI: 10.1145/2448556

Publisher

Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. dynamic behavior
      2. intrusion detection system
      3. remote attestation
      4. security
      5. trusted computing

Conference

ICUIMC '13

Overall Acceptance Rate: 251 of 941 submissions, 27%
